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Abstract This article presents the formal semantics of a large subset of the C language 
called Clight. Clight includes pointer arithmetic, struct and union types, C loops and struc- 
tured switch statements. Clight is the source language of the CompCert verified compiler. 
The formal semantics of Clight is a big-step operational semantics that observes both ter- 
minating and diverging executions and produces traces of input/output events. The formal 
semantics of Clight is mechanized using the Coq proof assistant. In addition to the semantics 
of Clight, this article describes its integration in the CompCert verified compiler and several 
ways by which the semantics was validated. 

Keywords The C programming language • Operational semantics • Mechanized semantics • 
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1 Introduction 

Formal semantics of programming languages — that is, the mathematical specification of 
legal programs and their behaviors — play an important role in several areas of computer 
science. For advanced programmers and compiler writers, formal semantics provide a more 
precise alternative to the informal English descriptions that usually pass as language stan- 
dards. In the context of formal methods such as static analysis, model checking and program 
proof, formal semantics are required to validate the abstract interpretations and program log- 
ics (e.g. axiomatic semantics) used to analyze and reason about programs. The verification of 
programming tools such as compilers, type-checkers, static analyzers and program verifiers 
is another area where formal semantics for the languages involved is a prerequisite. While 



This work was supported by Agence Nationale de la Recherche, grant number ANR-05-SSIA-0019. 
S. Blazy 

ENSUE, 1 square de la Resistance, 91025 Evry cedex, France 
E-mail: Sandrine.Blazy@ensiie.fr 

X. Leroy 

INRIA Paris-Rocquencourt, B.R 105, 78153 Le Chesnay, France 
E-mail: Xavier.Leroy@inria.fr 



2 



formal semantics for realistic languages can be defined on paper using ordinary mathemat- 
ics I31lll6l l7l, machine assistance such as the use of proof assistants greatly facilitates their 
definition and uses. 

For high-level programming languages such as Java and functional languages, there ex- 
ists a sizeable body of mechanized formalizations and verifications of operational semantics, 
axiomatic semantics, and programming tools such as compilers and bytecode verifiers. De- 
spite being more popular for writing systems software and embedded software, lower-level 
languages such as C have attracted less interest: several formal semantics for various subsets 
of C have been published, but only a few have been mechanized. 

The present article reports on the definition of the formal semantics of a large subset 
of the C language called Clight. Clight features most of the types and operators of C, in- 
cluding pointer arithmetic, pointers to functions, and struct and union types, as well as 
all C control structures except goto. The semantics of Clight is mechanized using the Coq 
proof assistant 1 10,4|. It is presented as a big-step operational semantics that observes both 
terminating and diverging executions and produces traces of input/output events. The Clight 
subset of C and its semantics are presented in sections |2] and [3] respectively. 

The work presented in this paper is part of an ongoing project called CompCert that 
develops a realistic compiler for the C language and formally verifies that it preserves the 
semantics of the programs being compiled. A previous paper [6 | reports on the development 
and proof of semantic preservation in Coq of the front-end of this compiler: a translator from 
Clight to Cminor, a low-level, imperative intermediate language. The formal verification of 
the back-end of this compiler, which generates moderately optimized PowerPC assembly 
code from Cminor is described in 1281 . Section |4] describes the integration of the Clight 
language and its semantics within the CompCert compiler and its verification. 

Formal semantics for realistic programming languages are large and complicated. This 
raises the question of validating these semantics: how can we make sure that they correctly 
capture the expected behaviors? In section [5] we argue that the correctness proof of the 
CompCert compiler provides an indirect but original way to validate the semantics of Clight, 
and discuss other approaches to the validation problem that we considered. 

We finish this article by a discussion of related work in section [6l followed by future 
work and conclusions in sectionl?] 

Availability The Coq development underlying this article can be consulted on-line at 
77/ compcert . inria.f r| 



Notations [x,y[ denotes the semi-open interval of integers {n^'L\x<n<y\. For functions 
returning "option" types, (read: "some j:") corresponds to success with return value x, 
and (read: "none") corresponds to failure. In grammars, a* denotes 0, 1 or several occur- 
rences of syntactic category a, and a- denotes an optional occurrence of syntactic category a. 



1 Abstract syntax of Clight 

Clight is structured into expressions, statements and functions. In the Coq formalization, the 
abstract syntax is presented as inductive data types, therefore achieving a deep embedding 
of Clight into Coq. 
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Signedness: signedness 

Integer sizes: intsize 

Float sizes: floatsize 

Types: T 



Signed | Unsigned 
18 I 116 I 132 



F32 I F64 



i.nt{intsize , signedness ) 
ilo&tljioatsize) 



void 



Field lists: 
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array (T,n) 

pointer (t) 

f unction(T*, t) 

struct (id, (f>) 

union(('d, (p) 

conip_pointer(W) 

(W,T)* 



Fig. 1 Abstract syntax of Clight types. 



2.1 Types 



The abstract syntax of Clight types is given in figure [T] Supported types include arithmetic 
types (integers and floats in various sizes and signedness), array types, pointer types (includ- 
ing pointers to functions), function types, as well as struct and union types. Named types 
are omitted: we assume that typedef definitions have been expanded away during parsing 
and type-checking. 

The integral types fully specify the bit size of integers and floats, unlike the C types int, 
long, etc, whose sizes are left largely unspecified in the C standard. Typically, the parser 
maps int and long to size 132, float to size F32, and double to size F64. Currently, 64-bit 
integers and extended-precision floats are not supported. 

Array types carry the number n of elements of the array, as a compile-time constant. Ar- 
rays with unknown sizes (t [] in C) are replaced by pointer types in function parameter lists. 
Their only other use in C is within extern declarations of arrays, which are not supported 
in Clight. 

Functions types specify the number and types of the function arguments and the type of 
the function result. Variadic functions and unprototyped functions (in the style of Ritchie's 
pre-standard C) are not supported. 

In C, struct and union types are named and compared by name. This enables the 
definition of recursive struct types such as struct si { int n; struct * si next;}. 
Recursion within such types must go through a pointer type. For instance, the following is 
not allowed in C: struct s2 ■[ int n; struct s2 next ;>. To obviate the need to carry 
around a typing environment mapping struct and union names to their definitions, Clight 
struct and union types are structural: they carry a local identifier id and the list (p of their 
fields (names and types). Bit-fields are not supported. These types are compared by struc- 
ture, like all other Clight types. In structural type systems, recursive types are traditionally 
represented with a fixpoint operator p.a.T, where a names the type /xa.T within T. We 
adapt this idea to Clight: within a struct or union type, the type comp_pointer(!<i) stands 
for a pointer type to the nearest enclosing struct or union type named id. For example, the 
structure si defined previously in C is expressed by 



struct(sl, (n, int(l32, signed)) (next, comp_pointer(sl))) 
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Expressions: 



a 



id 



variable identifier 
integer constant 
float constant 
size of a type 

unary aritlimetic operation 
binary arithmetic operation 
pointer dereferencing 
field access 
taking the address of 
type cast 

conditional expressions 



n 



f 

slzeof (t) 
opj a 
a I op2 02 
*a 
a. id 
ka 



iT)a 



ai ? a2 : 03 



Unary operators: 
Binary operators: 




+ I - I * I / I •/. 
« I » I & I I I - 

< I <= I > I >= I =: 



arithmetic operators 
bitwise operators 
! = relational operators 



Fig. 2 Abstract syntax of Clight expressions 

Incorrect structures such as s2 above cannot be expressed at all, since comp_po inter let us 
refer to a pointer to an enclosing struct or union, but not to the struct or tmion directly. 

Clight does not support any of the type qualifiers of C (const, volatile, restrict). 
These qualifiers are simply erased during parsing. 

The following operations over types are defined: sizeof (t) returns the storage size, in 
bytes, of type t, and f ield_of f set(!<i, (p) returns the byte offset of the field named id in a 
struct whose field list is (p, or if id does not appear in (p. The Coq development gives 
concrete definitions for these functions, compatible with the PowerPC ABI f48 ' chap. 3]. 
Typically, struct fields are laid out consecutively and padding is inserted so that each field 
is naturally aligned. Here are the only properties that a Clight producer or user needs to rely 
on: 

- Sizes are positive: sizeof (t) > for all types T. 

- Field offsets are within the range of allowed byte offsets for their enclosing struct: if 
f ield_of f set(ic?, 9) = [5] and T is the type associated with id in (p, then 



- Different fields correspond to disjoint byte ranges: if f ield_of f set(iy,-, 9) = [5,J and 
T,- is the type associated with id; in (p and idi ^ id2, then 



- When a struct is a prefix of another struct, fields shared between the two struct have 
the same offsets: if field.off set (id, 9) = [5J , then field.off set(i(f, 9.9') = [5\ for 
all additional fields 9'. 

2.2 Expressions 



[5, 5 + sizeof (t) [ C [0, sizeof (struct id' 9) [. 



[5\,Si + sizeof (Ti)[n [82, §2 + sizeof (T2)[ = 0. 



The syntax of expressions is given in figure |2] All expressions and their sub-expressions 
are annotated by their static types. In the Coq formalization, expressions a are therefore 
pairs {b, t) of a type T and a term b of an inductive datatype determining the kind and 



5 



Statements: 



Switch cases: 



skip 

a[ = (32 
a, =a2{a*) 
a{a*) 
si;s2 

if (a) si else S2 
switch(a) sw 
while (a) s 
do s while (a) 
for{si,a2,S3) s 
break 
continue 
return a' 

::= default : .v 
I case n : s;sw 



empty statement 
assignment 
function call 
procedure call 
sequence 
conditional 
multi-way branch 
"while" loop 
"do" loop 
"for" loop 

exit from the current loop 

next iteration of the current loop 

return from current function 

default case 
labeled case 



Fig. 3 Abstract syntax of CUght statements. 



arguments of the expression. In this paper, we omit the type annotations over expressions, 
but write type(a) for the type annotating the expression a. The types carried by expressions 
are necessary to determine the semantics of type-dependent operators such as overloaded 
arithmetic operators. The following expressions can occur in left-value position: id, *a, and 
a. id. 



Within expressions, only side-effect free operators of C are supported, but not assign- 
ment operators (=, +=, ++, etc) nor function calls. In Clight, assignments and function calls 
are presented as statements and cannot occur within expressions. As a consequence, all 
Clight expressions always terminate and are pure: their evaluation performs no side effects. 
The first motivation for this design decision is to ensure determinism of evaluation. The 
C standard leaves evaluation order within expressions partially unspecified. If expressions 
can contain side-effects, different evaluation orders can lead to different results. As demon- 
strated by Norrish [361 , capturing exactly the amount of nondeterminism permitted by the 
C standard complicates a formal semantics. 

It is of course possible to commit on a particular evaluation order in a formal seman- 
tics for C. (Most C compiler choose a fixed evaluation order, typically right-to-left.) This is 
the approach we followed in an earlier version of this work |6|. Deterministic side-effects 
within expressions can be accommodated relatively easily with some styles of semantics 
(such as the big-step operational semantics of |6|), but complicate or even prevent other 
forms of semantics. In particular, it is much easier to define axiomatic semantics such as 
Hoare logic and separation logic if expressions are terminating and pure: in this case, syn- 
tactic expressions can safely be used as part of the logical assertions of the logic. Likewise, 
abstract interpretations and other forms of static analysis are much simplified if expressions 
are pure. Most static analysis and program verification tools for C actually start by pulling 
assignments and function calls out of expressions, and only then perform analyses over pure 
expressions l9l fT3p2ll8lfT]fT7l . 
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Variable declai'ations: del 

Internal function definitions: F 

External function declarations: Fe 

Functions: Fd 

Programs: P 



= (t id)* name and type 

= T id{dcl[) {dch; s} {dcl\ = parameters, = local variables) 
= extern T id{dcl) 

= F \ Fe internal or external 

= (ic/;Frf*;main = id global variables, functions, entry point 



Fig. 4 Abstract syntax of Clight functions and programs. 



Some forms of C expressions are omitted in the abstract syntax but can be expressed as 
syntactic sugar: 

array access: ai[a2] = *(ai+a2) 

indirect field access: a->id = *{a.id) 
sequential "and": a\ && 02 = ai ? {02 ? I : 0) : 
sequential "or": ci I I 02 = ai ? 1 : (02 ? 1 : 0) 



2.3 Statements 

Figure [3] defines the syntax of Clight statements. All structured control statements of C 
(conditional, loops, Java-style switch, break, continue and return) are supported, but 
not unstructured statements such as goto and unstructured switch like the infamous "Duff's 
device" 1 12]. As previously mentioned, assignment ai = 02 of an r- value 02 to an 1- value ai, 
as well as function calls, are treated as statements. For function calls, the result can either 
be assigned to an I-value or discarded. 

Blocks are omitted because block-scoped variables are not supported in Clight: variables 
are declared either with global scope at the level of programs, or with function scope at the 
beginning of functions. 

The for loop is written ior{si,a2,ST,) s, where si is executed once at the beginning of 
the loop, 02 is the loop condition, ^3 is executed at the end of each iteration, and s is the loop 
body. In C, and are expressions, which are evaluated for their side effects. In Clight, 
since expressions are pure, we use statements instead. (However, the semantics requires that 
these statements terminate normally, but not by e.g. break.) 

A switch statement consists in an expression and a list of cases. A case is a statement 
labeled by an integer constant (case n) or by the keyword default. Contrary to C, the 
default case is mandatory in a Clight switch statement and must occur last. 



2.4 Functions and programs 

A Clight program is composed of a list of declarations for global variables (name and type), 
a list of functions (see figure m and an identifier naming the entry point of the program (the 
main function in C). The Coq formalization supports a rudimentary form of initialization for 
global variables, where an initializer is a sequence of integer or floating-point constants; we 
omit this feature in this article. 

Functions come in two flavors: internal or external. An internal function, written 
T id{dcl\) {dcl2\ s}, is defined within the language. T is the return type, id the name of 
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the function, dcli its parameters (names and types), dcl2 its local variables, and s its body. 
External functions extern T id(dci) are merely declared, but not implemented. They are 
intended to model "system calls", whose result is provided by the operating system instead 
of being computed by a piece of Clight code. 

3 Formal semantics for Clight 

We now formalize the dynamic semantics of Clight, using natural semantics, also known as 
big-step operational semantics. The natural semantics observe the final result of program ex- 
ecution (divergence or termination), as well as a trace of the invocations of external functions 
performed by the program. The latter represents the input/output behavior of the program. 
Owing to the restriction that expressions are pure (section |Z2] |. the dynamic semantics is 
deterministic. 

The static semantics of Clight (that is, its typing rules) has not been formally specified 
yet. The dynamic semantics is defined without assuming that the program is well-typed, and 
in particular without assuming that the type annotations over expressions are consistent. If 
they are inconsistent, the dynamic semantics can be undefined (the program goes wrong), or 
be defined but differ from what the C standard prescribes. 

3.1 Evaluation judgements 

The semantics is defined by the 10 judgements (predicates) listed below. They use semantic 
quantities such as values, environments, etc, that are summarized in figure[5]and explained 
later. 

G,E h a,M -4= i (evaluation of expressions in 1-value position) 

G,E \~ a,M =4> V (evaluation of expressions in r-value position) 

G,E h a* ,M =>v* (evaluation of lists of expressions) 

G,E h s,M =k- out,M' (execution of statements, terminating case) 
G,E \- sw,M 4> out,M' (execution of the cases of a switch, terminating case) 
G h Fd{v*),M =k- v,M' (evaluation of function invocations, terminating case) 

T 

G,E h s,M (execution of statements, diverging case) 

T 

G,E \- sw,M °° (execution of the cases of a switch, diverging case) 

T 

G h Fd{v*),M =^ oo (evaluation of function invocations, diverging case) 
\- P B (execution of whole programs) 

Each judgement relates a syntactic element to the result of executing this syntactic el- 
ement. For an expression in 1-value position, the result is a location t. a pair of a block 
identifier b and a byte offset 5 within this block. For an expression in r-value position and 
for a function application, the result is a value v: the discriminated union of 32-bit integers, 
64-bit floating-point numbers, locations (representing the value of pointers), and the special 
value undef representing the contents of uninitialized memory. Clight does not support as- 
signment between struct or union, nor passing a struct or union by value to a function; 
therefore, struct and union values need not be represented. 

Following Norrish |36| and Huisman and Jacobs [211, the result associated with the 
execution of a statement s is an outcome out indicating how the execution terminated: ei- 
ther normally by running to completion or prematurely via a break, continue or return 
statement. 
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Block references: 


h 


el 




Memory locations: 


I 


■■= {b,S) 


byte offset 5 (a 32-bit integer) within block b 


Values: 


V 


:= int(n) 


integer value (« is a 32-bit integer) 






1 f loat(/) 


floating-point value (/ is a 64-bit float) 






1 Ptr(£) 


pointer value 






1 undef 


undefined value 


Statement outcomes: 


out 


:= Normal 


continue with next statement 






1 Continue 


go to the next iteration of the cun'ent loop 






1 Break 


exit from the current loop 






1 Return 


function exit 






1 Return(i') 


function exit, returning the value v 


Global environments: 


G 


:= {id ^ b) 


map from global variables to block references 








and map from function references to function definitions 


Local environments: 


E 


:= id h 


map from local variables to block references 


Memory states: 


M 


:= bh^ {lo,hi,S i-^v) 


map from block references to bounds and contents 


Memory quantities: 


K 


:= intSsigned | intSunslgned 






1 intlBsigned | intlBunsigned 






1 int32 1 f loat32 


f loat64 


I/O values: 


Vv 


:= int(«) 1 f loat(/) 




I/O events: 


V 


:= id{vv'' 1-^ Vv) 


name of external function, argument values, result value 


Traces: 


t 


:= £ 1 v.t 


finite traces (inductive) 




T 


:=£ V.T 


finite or infinite traces (coinductive) 


Program behaviors: 


B 


:= terminates(r.ji) 


termination with trace t and exit code n 






1 diverges(r) 


divergence with trace T 



Operations over memory states: 
alloc (M,/o,/!i) = {M',b) 
fTee{M,b) =M' 
load(K-,M,fc,n) = [vj 



stOTe{K, M,b,n.v) = [M'\ 



Allocate a fresh block of bounds [lo, hi[. 
Free (invalidate) the block b. 

Read one or several consecutive bytes (as determined by K) at block b, 
offset n in memory state M. If successful return the contents of these 
bytes as value v. 

Store the value v into one or several consecutive bytes (as determined 
by k) at offset n in block b of memory state M. If successful, return an 
updated memory state M'. 

Operations over global environments: 
f unct(G,fo) = [b] Return the function definition Fd corresponding to the block b, if any. 
symbol (CW) = [h\ Return the block b corresponding to the global variable or function name id. 
globalenv(P) = G Construct the global environment G associated with the program P. 
initmem(P) = M Construct the initial memory state M for executing the program P. 



Fig. 5 Semantic elements: values, environments, memory states, statement outcomes, etc 



Most judgements are parameterized by a global environment G, a local environment E, 
and an initial memory state M. Local environments map function-scoped variables to refer- 
ences of memory blocks containing the values of these variables. (This indirection through 
memory is needed to allow the & operator to take the address of a variable.) These blocks 
are allocated at function entry and freed at function return (see rule [32] in figure [TOll. Like- 
wise, the global environment G associates block references to program-global variables and 
functions. It also records the definitions of functions. 

The memory model used in our semantics is detailed in |29 1. Memory states M are 
modeled as a collection of blocks separated by construction and identified by integers b. 
Each block has lower and upper bounds lo, hi, fixed at allocation time, and associates values 
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Expressions in 1-value position: 

E{id) = h or [id ^ Dom(£:) and symbol(G,/rf) = \b\) G,E h ciM =^ ptr(<') 

G,E^id,M ■i=(h,{)) G.Eh*a,M^i 
G,Eh a,M ^ {b,S) typ6(fl) = struct(!V/', (p) f ield.of f set(;y, (p) = [5'J 



G,E^ a.id,M ■i^(h,S + S') 
G,E\-a,M^£ tjpe{a) =\iD.ion(id',(p) 



(3) 



(4) 



G,Eha.id,M-^i 

Expressions in r-value position: 

G,Ehn,M^int{n) (5) G,£ h /,M ^ f loat{/) (6) 

G,E\-a.M^e loadval(type(a),M'.f) = [vj 

G,£ h sizeof (t),M^ int(sizeof (t)) (7) W 

G,E h a,M => V 

G,E\-a,M-i^£ GjiJ h flijA/ =^ vi eval_unop(op| ,vi , type(ai)) = [vJ ^^^^ 



G,£'l-&o,M=^ptr(£) G,£ hopi ai,M=>i' 

G,£hai,M=^vi G,£ h d(2,'Wi i'2 eval_binop(o/)2,V|,type(ai),V2,type(fl2)) = [vJ ^^^^ 

G,E \- ai op2 a2,M 
G,E\-ai,M^V[ is_true(vi ,type(ai)) G,-E h 02:^ =^ V2 



G,E h ? fl2 ■ ai,M =^ V2 
G,£'l-ai,M=M'i is_f alse(\'i,type(ai)) G,£ h c/3,M V3 



(12) 
(13) 



G,i; h ai ? «2 : 03. M V3 
G.E \- a.M ^ V[ cast (vi, type (a), t) = [vJ 
G,E\-(r)a,M^v 

Fig. 6 Natural semantics for Clight expressions 



(14) 



to byte offsets 5 e [lo,hi[. The basic operations over memory states are alloc, free, load 
and store, as summarized in figure[5] 

Since Clight expressions are pure, the memory state is not modified during expression 
evaluation. It is modified, however, during the execution of statements and function calls. 
The corresponding judgements therefore return an updated memory state M'. They also 
produce a trace t of the external functions (system calls) invoked during execution. Each 
such invocation is described by an input/output event v recording the name of the external 
function invoked, the arguments provided by the program, and the result value provided by 
the operating system. 

In addition to terminating behaviors, the semantics also characterizes divergence during 
the execution of a statement or of a function call. The treatment of divergence follows the 
coinductive natural approach of Leroy and Grail |30]. The result of a diverging execution is 
the trace T (possibly infinite) of input/output events performed. 

In the Coq specification, the judgements of the dynamic semantics are encoded as mu- 
tually inductive predicates (for terminating executions) and mutually coinductive predicates 
(for diverging executions). Each defining case of each predicate corresponds exactly to an in- 
ference rule in the conventional, on-paper presentation of natural semantics. We show most 
of the inference rules in figures[6]to[T2l and explain them in the remainder of this section. 
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Access modes: 



::= By_value(K') 
I By .reference 
I By .nothing 



access by value 
access by reference 
no access 



Associating access modes to Clight types: 

i2/(int(I8, Signed)) = By.value(int8signed) 
^(int(l8. Unsigned)) = By.value(int8unsigned) 
i/(int(ll6, Signed)) = By.value(intl6signed) 
i2/(int(ll6, Unsigned)) = By.value(intl6unsigned) 
£/(int(l32,.)) = By.value(int32) 
jz/(pointer(.)) = By.value(int32) 



j2/(array(.,.)) = By.reference 
^(function(., .)) = Byjreference 
£/(struct)(.,.)) = Byjiothing 
^/(union) (.,.)) = Byjiothing 
J^/{■void) = Byjiothing 



Accessing or updating a value of type T at location {h, S) in memory state M: 



loadval(T,M, (/),5)) = losLd{K,M,b,S) 
loadval(T,M,(Z),5)) = l{b,S)\ 
loadval(T,M,(Z),5)) = 

storeval(T,M,(Z),5),v) = store(lf,M,Z), 5, 

storeval(T,M, 5),v) = 



if £/(t) = By.value()c) 
if (t) = By .reference 
if s/ (t) = Byjiothing 
if £/( t) = By .value ( k) 
otherwise 



Fig. 7 Memory accesses. 



3.2 Evaluation of expressions 

Expressions in l-value position The first four rules of figure |6]illustrate the evaluation of an 
expression in l-value position. A variable id evaluates to the location (^7,0), where b is the 
block associated with id in the local environment E or the global environment G (rule[T]l. If 
an expression a evaluates (as an r- value) to a pointer value ptr(£), then the location of the 
dereferencing expression *a is I (mle[2ll. 

For field accesses a. id, the location £ = {b, 5) of a is computed. If a has union type, 
this location is returned unchanged. (All fields of a union share the same position.) If a has 
struct type, the offset of field id is computed using the f ield_of f set function, then added 
to d. 



From memory locations to values The evaluation of an l-value expression a in r-value posi- 
tion depends on the type of a (rule[8ll. If a has scalar type, its value is loaded from memory 
at the location of a. If a has array type, its value is equal to its location. Finally, some types 
cannot be used in r-value position: this includes void in C and struct and union types 
in Clight (because of the restriction that structs and unions cannot be passed by value). To 
capture these three cases, figure [7] defines the function ia/ that maps Clight types to access 
modes, which can be one of: "by value", with a memory quantity K (an access loads a quan- 
tity K from the address of the l-value); "by reference" (an access simply returns the address 
of the l-value); or "by nothing" (no access is allowed). The loadval and storeval func- 
tions, also defined in figure[7l exploit address modes to implement the correct semantics for 
conversion of l-value to r-value (loadval) and assignment to an l-value (storeval). 

Expressions in r-value position Rules [5] to [l4] of figure [6] illustrate the evaluation of an 
expression in r-value position. Rule [8] evaluates an l-value expression in an r-value context. 
The expression is evaluated to its location I. From this location, a value is deduced using 
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(20) 



G,£l-skip,M=> Normal, M (15) G,^ h break,M Break,M (16) 

G,E h continue, M 4> Continue, M (17) G,£ h (return 0),M 4> Return, M (18) 

G,£l-a,M^i' ^^^^ 
G,£h (return [flJ),M 4> Return(v),M 
G,£:i-ai,M^<; G,£:i-a2,M=>v storeval(type(fli),M,£,v) = [M'J 
G,£l-(ai = fl2),M4> Normal, M' 
G,^!-^!,;^;^^ Normal, Ml G,E h S2,Mi ^ out,M2 
G,£h(ii;i2),M'l4?OH<,M2 
G,£ h ii,M 4> OMi,A/' OMf^ Normal 
G,Eh(si;s2),M^out,M' 

Fig. 8 Natural semantics for Clight statements (other than loops and switch statements) 



the loadval function described above. By mle|9l &a evaluates to the pointer value ptr(£) as 
soon as the 1-value a evaluates to the location I. 

Rules [To] and [TT| describe the evaluation of unary and binary operations. Taking binary 
operations as an example, the two argument expressions are evaluated and their values vi , V2 
are combined using the the eval_binop function, which takes as additional arguments the 
types Ti and T2 of the arguments, in order to resolve overloaded and type-dependent oper- 
ators. To give the general flavor of eval_binop, here are the cases corresponding to binary 
addition: 

jTi T2 VI V2 eval_binop(+, VI, Ti, V2, 12) 

int(_) iiit(_) int(«i) int(w2) [int(«i +«2)J 
float(.) float(.) float(/i) float(/2) [float(/i -F/2)J 
ptr(T) int(_) ptr(^),5) int(«) [ptr(Z7, 5 +n X sizeof (t))J 
int(_) ptr(T) int(«) ptr(Z?,5) [ptr(fc, 5 +n X sizeof (t))J 
Otherwise 

The definition above rejects mixed arithmetic such as "int -|- float" because the parser that 
generates Clight abstract syntax (described in section 14.11 never produces this: it inserts 
explicit casts from integers to floats in this case. However, it would be easy to add cases 
dealing with mixed arithmetic. Likewise, the definition above adds two single precision 
floats using double-precision addition, in violation of the ISO C standard. Again, it would 
be easy to recognize this case and perform a single-precision addition. 

Rules [T2I and 1131 define the evaluation of conditional expressions a\ ? 02 : 03. The 
predicates is_true and is_false determine the truth value of the value of fli, depending 
on its type. At a float type, float (0.0) is false and any other float value is true. At an int 
or ptr type, int(O) is false and int(n) (n ^ 0) and ptr(i') values are true. (The null pointer 
is represented as int(O).) All other combinations of values and types are neither true nor 
false, causing the semantics to go wrong. 

Rule [14] evaluates a cast expression {x)a. The expression a is evaluated, and its value 
is converted from its natural type type (a) to the expected type t using the partial function 
cast. This function performs appropriate conversions, truncations and sign-extensions be- 
tween integers and floats. We take a lax interpretation of casts involving pointer types: if the 
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Outcome updates (at the end of a loop execution): 



loop loop , loop . 

Break Normal Return Return Return(i') ~> Return(v) 



while loops: 



G,E\-a,M^v is_true(i',type(fl)) 
G,Eha,M^v is_f alse(i'.type(a)) , , loon 

L_Jl£__li (23) G.Ehs.M^out.M' out out' 

: 1 : (24) 



G,E h (while(fl) s),M =^ Normal, M 



G,E h (while(a) s),M out' ,M' 



G,E^a,M^v is_true(v,type(<3)) 
G.E h s,M 4> {Normal | Continue), Mi G,E h (while(a) s),Mi ^ out" ,M2 



(25) 



G,E\- (while (fl) s),m''4? out' .Mi 



(26) 



for loops: 

skip G,E h ii,M 4> Normal, Ml G,^ h (f or(skip,a2,i'3) ^ onr,M2 

G,£ h (for(ii,a2,.«3) s),m'W out,M2 

G,E\-a2,M^v is_true(v,type(fl2)) 
G,£ha2,M^v is.false(i' type(a2)) /oo,; 
(^') G,i? h .v,M 4> OHfi,Mi o«/i ~> out 

G,£ h (for(skip.flT,.vi) s),M 4- Normal. M ; *- ' 

G,E h (f or(skip,ci2,*3) s),M ^ out,M[ 

G,E h a2<W =^ I' is_true(v, type(a2)) 
G,E^ s.M ^ (Normal | Continue), Mi G,E\- s^,M\ ^ Normal, M2 
G,E I- (f or(skip,a2,i3) i),M2 4> out.M^ 



(29) 



G,^ h (for(skip, 02,^3) ),m''^'-^ oh?,M3 



Fig. 9 Natural semantics for Clight loops 



source and destination types are both either pointer types or 32-bit int types, any pointer 
or integer value can be converted between these types without change of representation. 
However, the cast function fails when converting between pointer types and float or small 
integer types, for example. 



3.3 Statements and function invocations, terminating case 

The rules in figure [8] define the execution of a statement that is neither a loop nor a switch 
statement. The execution of a skip statement yields the Normal outcome and the empty trace 
(mlellSll. Similarly, the execution of a break (resp. continue) statement yields the Break 
(resp. Continue) outcome and the empty trace (rules [T6l and 117b. Rules [T8lll9l describe 
the execution of a return statement. The execution of a return statement evaluates the 
argument of the return, if any, and yields a Return outcome and the empty trace. 

Rule|20]executes an assignment statement. An assigrmient statement ai = ai evaluates 
the 1-value ai to a location t and the r- value 02 to a value v, then stores v at £ using the 
storeval function of figure [71 producing the final memory state M' . We assume that the 
types of fli and 02 are identical, therefore no implicit cast is performed during assignment, 
unlike in C. (The Clight parser described in section lTTI inserts an explicit cast on the r-value 
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(30) 



Function calls: 

G,E h afii„,M =^ ptr(ii.O) G,E h aargs,M =^ Vargs 
±\mct{G,b) = [Fd] type.of _f undef (Frf) = type(a/„„) G h Fd{va,gs),M 4> VresM' 

G.E h af„„{aargs),M =k- v„.,,M' 

G,E\-a,M CEh «/•„„, M^ptr(^),0) G.£ h ^ vv^., 

funct(G,Z)) = [Fd\ type.of _f undef (frf) = type(a^„„) G h Fd{vargs),M =4> vVfi.'Wi 

storeval(type(a),Mi,ptr(f),v„.,) = [M2J ^^^^ 

G, £ h a = fl /„„ (aarj., ) , M 4> Vr„ , M2 

Compatibility between values, outcomes and return types: 

Normal, void # undef Return, void # undef Return(i'), T # v when T ^ void 

Function invocations: 

F = id{dch){dcl2;s} 
alloc_vars(M,dc/| +dcl2,E) = (Mi,i)*) bind_params(£',Mi .dc/i ,Vo,y,) = M2 

G,E h S,M2 =k- 0Ut,M3 out, T#Vres 



(32) 



G h F{vi,rgs),M 4> iVc!,free(M3,fo*) 
Fe = extern T id[dd) V = id{v„,-gs,Vr„) 



(33) 



G h Fe(va,-j.,),M v„.,,M 
Fig. 10 Natural semantics for function calls 



02 when necessary.) Note that storeval fails if ai has a struct or union type: assignments 
between composite data types are not supported in Clight. 

The execution of a sequence of two statements starts with the execution of the first 
statement, thus yielding an outcome that determines whether the second statement must be 
executed or not (rules [27] and I22ll. The resulting trace is the concatenation of both traces 
originating from both statement executions. 

The rules in figure|9]define the execution of while and for loops. (The rules describing 
the execution of dowhile loops resemble the rules for while loops and are omitted in this 
paper.) Once the condition of a while loop is evaluated to a value v, if v is false, the execution 
of the loop terminates normally, with an empty trace (rules [23] andl27l). If v is true, the loop 
body s is executed, thus yielding an outcome out (rules l24l|25l|28| and|29l>. If out is Normal or 
Continue, the whole loop is re-executed in the memory state modified by the first execution 
of the body. In s, the execution of a continue statement interrupts the current execution 
of the loop body and triggers the next iteration of s. If out is Break, the loop terminates 
normally; if out is Return, the loop terminates prematurely with the same outcome (rules l24l 

and|28ll. The relation models this evolution of outcomes after the premature end of the 
execution of a loop body. 

Rules |261|29I describe the execution of a for(ii,a2, J3) s loop. Rule 1261 executes the 
initial statement 51 of a for loop, which must terminate normally. Then, the loop with an 
empty initial statement is executed in a way similar to that of a while loop (rules I27ll29l l. If 
the body s terminates normally or by performing a continue, the statement 53 is executed 
before re-executing the for loop. As in the case of si, it must be the case that 53 terminates 
normally. 
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G.fi hii.M^." CfhsLM^ Normal, A/i G.f h ii.M, 4 ~ 

' (34) • (35) 



G,£l-s,;i2,M4>~ G,£l-ii;i2,M^~ 

T 

G.Eha.M^v is_true(v.type(a)) G.i? h .v.M £» 

^ ^ (36) 

G,^ h (while (a) 4 " 

G,E\-a,M^v is_true(i',type(a)) 

G.E h .s,M 4> (Normal I Continue). Mi G.E h (while(o) s)M\ 4> ~ 

= ^ \ = (37) 

G,£'h(while(a)i-),M^4^oo 

G,E h Ufun.M =^ ptr(/),0) G.il h OargsM I'aiys 

funct(G,fe) = [FrfJ type.of _fundef (Fd) = type(a/„„) G h Fd(v„,-g,)-M =^ °° 

' (38) 

G,£ h fl^„„(flfl,-gj),M 4> oo 

f = Tiy(rfc/i){dc/2;i} 
alloc_vars(M,ddi +dch,E) = (Mi, 6*) bind_params(£',Mi,rfc/|,i'orgi) =M2 

G,£l-i,M2 4.00 

(39) 

GI-F(v„,-,,,),m4oo 

Fig. 11 Natural semantics for divergence (selected rules) 



We omit the rules for switch(a) sw statements, which are standard. Based on the integer 
value of a, the appropriate case of sw is selected, and the corresponding suffix of sw is 
executed like a sequence, therefore implementing the "fall-through" behavior of switch 
cases. A Break outcome for one of the cases terminates the switch normally. 

The rules of figure [TO] define the execution of a call statement afun{aargs) or 
a = afu„{aargs)- The expression ay„„ is evaluated to a function pointer ptr(/7,0), and 
the reference h is resolved to the corresponding function definition Fd using the global 
environment G. This function definition is then invoked on the values of the arguments Oargs 
as per the judgment G h Fd{vargs),M t,M'. If needed, the returned value Vres is then 
stored in the location of the 1-value a (rules [30landl31b. 

The invocation of an internal Clight function F (mlel32b allocates the memory required 
for storing the formal parameters and the local variables of F, using the alloc_vars func- 
tion. This function allocates one block for each variable id : t, with lower bound and upper 
bound sizeof (t), using the alloc primitive of the memory model. These blocks initially 
contain undef values. Then, the bind_params function iterates the storeval function in 
order to initialize formal parameters to the values of the corresponding arguments. 

The body of F is then executed, thus yielding an outcome (fourth premise). The return 
value of F is computed from this outcome and from the return type of F (fifth premise): 
for a function returning void, the body must terminate by Normal or Return and the return 
value is undef; for other functions, the body must terminate by Return(v) and the return 
value is v. Finally, the memory blocks b* that were allocated for the parameters and local 
variables are freed before returning to the caller. 

A call to an external function Fe simply generates an input/output event recorded in the 
trace resulting from that call (rulel33b. 
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G = globalenv(P) M = initmem(P) 
synibol(G,niain(P)) = \b\ funct(G,fc) = [/J G h /(iiil),M 4- int(n),M' ^^^^ 
h P =^ terminates((,n) 
G = globalenv(P) M = initm6ni(P) 
syiiibol(G,maiii(P)) = [foj funct(G,/)) = [/J G h 4> ~ ^^^^ 
h P diverges (T) 

Fig. 12 Observable behaviors of programs 

3.4 Statements and function invocations, diverging case 

Figure [TT| shows some of the rules that model divergence of statements and function invo- 
cations. As denoted by the double horizontal bars, these rules are to be interpreted coin- 
ductively, as greatest fixpoints, instead of the standard inductive interpretation (smallest fix- 
points) used for the other rules in this paper. In other words, just like terminating executions 
correspond to finite derivation trees, diverging executions correspond to infinite derivation 
trees 1301 . 

A sequence s\;s2 diverges either if s\ diverges, or if terminates normally and S2 di- 
verges (rules [34landl35b. Likewise, a loop diverges either if its body diverges, or if it termi- 
nates normally or by continue and the next iteration of the loop diverges (mlesl36landl37l>. 
A third case of divergence corresponds to an invocation of a function whose body diverges 
(rules[38]and[39ll. 



3.5 Program executions 

Figure [12] defines the execution of a program P and the determination of its observable 
behavior. A global environment and a memory state are computed for P, where each global 
variable is mapped to a fresh memory block. Then, the main function of P is resolved and 
applied to the empty list of arguments. If this function invocation terminates with trace t and 
result value int(n), the observed behavior of P is terminates (f,H) (rule|4Qll. If the function 
invocation diverges with a possibly infinite trace T , the observed behavior is diverges (T) 
(mle|4T]l. 



4 Using Clight in the CompCert compiler 

In this section, we informally discuss how Clight is used in the CompCert verified compiler 



4. 1 Producing Clight abstract syntax 

Going from C concrete syntax to Clight abstract syntax is not as obvious as it may sound. Af- 
ter an unsuccessful attempt at developing a parser, type-checker and simplifier from scratch, 
we elected to reuse the CIL library of Necula et al. 1331 . CIL is written in OCaml and 
provides the following facilities: 
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1. A parser for ISO C99 (plus GCC and Microsoft extensions), producing a parse tree that 
is still partially ambiguous. 

2. A type-checker and elaborator, producing a precise, type-armotated abstract syntax tree. 

3. A simplifier that replaces many delicate constructs of C by simpler constructs. For in- 
stance, function calls and assignments are pulled out of expressions and lifted to the 
statement level. Also, block-scoped variables are lifted to function scope or global scope. 

4. A toolkit for static analyses and transformations performed over the simplified abstract 
syntax tree. 

While conceptually distinct, (2) and (3) are actually performed in a single pass, avoiding the 
creation of the non-simplified abstract syntax tree. 

Thomas Moniot and the authors developed (in OCaml) a simple translator that produces 
Clight abstract syntax from the output of CEL. Much information produced by CIL is simply 
erased, such as type attributes and qualifiers, struct and union types are converted from 
the original named representation to the structural representation used by Clight. String 
literals are turned into global, initialized arrays of characters. Finally, constructs of C that 
are unsupported in Clight are detected and mearungful diagnostics are produced. 

The simplification pass of CIL sometimes goes too far for our needs. In particular, the 
original CIL transforms all C loops into while(l) {...}■ loops, sometimes inserting 
goto statements to implement the semantics of continue. Such CIL-inserted goto state- 
ments are problematic in Chght. We therefore patched CIL to remove this simphfication of 
C loops and natively support while, do and for loops 

CIL is an impressive but rather complex piece of code, and it has not been formally 
verified. One can legitimately wonder whether we can trust CIL and our hand-written trans- 
lator to preserve the semantics of C programs. Indeed, two bugs in this part of CompCert 
were found during testing: one that we introduced when adding native support for for loops; 
another that is present in the unmodified CIL version 1.3.6, but was corrected since then. 

We see two ways to address this concern. First, we developed a pretty-printer that dis- 
plays Clight abstract syntax tree in readable, C concrete syntax. This printer makes it possi- 
ble to conduct manual reviews of the transformations performed by CIL. Moreover, exper- 
iment shows that re -parsing and re-transforming the simplified C syntax printed from the 
Chght abstract syntax tree reaches a fixed point in one iteration most of the time. This does 
not prove anything but nonetheless instills some confidence in the approach. 

A more radical way to establish trust in the CIL-based Clight producer would be to 
formally verify some of the simplifications performed. A prime candidate is the simplifi- 
cation of expressions, which transforms C expressions into equivalent pairs of a statement 
(performing all side effects of the expression) and a pure expression (computing the final 
value). Based on initial experiments on a simple "while" language, the Coq verification of 
this simplification appears difficult but feasible. We leave this line of work for future work. 

4.2 Compiling Clight 

The CompCert C compiler is structured in two parts: a front-end compiler translates Chght 
to an intermediate language called Cminor, without performing any optimizations; a back- 
end compiler generates PowerPC assembly code from the Cminor intermediate representa- 
tion, performing good register allocation and a few optimizations. Both parts are composed 
of multiple passes. Each pass is proved to preserve semantics: if the input program P has 
observable behavior B, and the pass translates P to P' without reporting a compile-time er- 
ror, then the output program P' has the same observable behavior B. The proofs of semantic 
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preservation are conducted with the Coq proof assistant. To facilitate the proof, the compiler 
passes are written directly in the specification language of Coq, as pure, recursive functions. 
Executable Caml code for the compiler is then generated automatically from the functional 
specifications by Coq's extraction facility. 

The back-end part of CompCert is described in great detail in [28]. We now give an 
overview of the front-end, starting with a high-level overview of Cminor, its target interme- 
diate language. (Refer to [28, section 4] for detailed specifications of Cminor.) 

Cminor is a low-level imperative language, structured like Clight into expressions, state- 
ments, and functions. A first difference with CUght is that arithmetic operators are not over- 
loaded and their behavior is independent of the static types of their operands: distinct oper- 
ators are provided for integer arithmetic and floating-point arithmetic. Conversions between 
integers and floats are explicit. Likewise, address computations are explicit in Cminor, as 
well as individual load and store operations. For instance, the C expression a[x] where a is 
a pointer to int is expressed as load(int32, a +/ x *, 4), making explicit the memory 
quantity being addressed (int32) as well as the address computation. 

At the level of statements, Cminor has only 5 control structures: if-then-else condition- 
als, infinite loops, block-exit, early return, and goto with labeled statements. The exit n 
statement terminates the (n+l) enclosing block statements. 

Within Cminor functions, local variables can only hold scalar values (integers, pointers, 
floats) and they do not reside in memory. This makes it easy to allocate them to registers 
later in the back-end, but also prohibits taking a pointer to a local variable like the C op- 
erator & does. Instead, each Cminor function declares the size of a stack-allocated block, 
allocated in memory at function entry and automatically freed at function return. The ex- 
pression addrstack(n) returns a pointer within that block at constant offset n. The Cminor 
producer can use this block to store local arrays as well as local scalar variables whose 
addresses need to be taken. 

To translate from Clight to Cminor, the front-end of CompCert C therefore performs the 
following transformations: 

1. Resolution of operator overloading and materialization of all type-dependent behaviors. 
Based on the types that annotate Clight expressions, the appropriate flavors (integer or 
float) of arithmetic operators are chosen; conversions between ints and floats, truncations 
and sign-extensions are introduced to reflect casts; address computations are generated 
based on the types of array elements and pointer targets; and appropriate memory chunks 
are selected for every memory access. 

2. Translation of while, do and for loops into infinite loops with blocks and early exits. 
The break and continue statements are translated as appropriate exit constructs. 

3. Placement of Clight variables, either as Cminor local variables (for local scalar variables 
whose address is never taken), sub-areas of the Cminor stack block for the current func- 
tion (for local non-scalar variables or local scalar variables whose address is taken), or 
globally allocated memory areas (for global variables). 

In the first version of the front-end, developed by Zaynah Dargaye and the authors and 
published in [6}, the three transformations above were performed in a single pass, resulting 
in a large and rather complex proof of semantic preservation. To make the proofs more 
manageable, we split the front-end in two passes: the first performs transformations (1) 
and (2) above, and the second performs transformation (3). A new intermediate language 
called C#minor was introduced to connect the two passes. C#minor is similar to Cminor, 
except that it supports a & operator to take the address of a local variable. Accordingly, 
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the semantics of C#minor, like tliat of Clight, allocates one memory block for each local 
variable at function entrance, while the semantics of Cminor allocates only one block. 

To account for this difference in allocation patterns, the proof of semantic preservation 
for transformation (3) exploits the technique of memory injections formalized in 1291 section 
5.4]. It also involves nontrivial reasoning about separation between memory blocks and 
between sub-areas of a block. The proof requires about 2200 lines of Coq, plus 800 lines for 
the formalization of memory injections. 

The proof of transformations (1) and (2) is more routine: since the memory states match 
exactly between the original Clight and the generated C#minor, no clever reasoning over 
memory states, blocks and pointers is required. The Coq proof remains relatively large (2300 
lines), but mostly because many cases need to be considered, especially when resolving 
overloaded operators. 

5 Validating the Clight semantics 

Developing a formal semantics for a real-world programming language is no small task; but 
making sure that the semantics captures the intended behaviors of programs (as described, 
for example, by ISO standards) is even more difficult. The smallest mistake or omission in 
the rules of the semantics can render it incomplete or downright incorrect. Below, we list 
a number of approaches that we considered to validate a formal semantics such as that of 
Clight. Many of these approaches were prototyped but not carried to completion, and should 
be considered as work in progress. 

5.1 Manual reviews 

The standard way to build confidence in a formal specification is to have it reviewed by 
domain experts. The size of the semantics for Clight makes this approach tedious but not 
downright impossible: about 800 lines of Coq for the core semantics, plus 1000 lines of Coq 
for dependencies such as the formalizations of machine integers, floating-point numbers, 
and the memory model. The fact that the semantics is written in a formal language such 
as Coq instead of ordinary mathematics is a mixed blessing. On the one hand, the type- 
checking performed by Coq guarantees the absence of type errors and undefined predicates 
in the specification, while such trivial errors are common in hand-written semantics. On the 
other hand, domain experts might not be familiar with the formal language used and could 
prefer more conventional presentations as e.g. inference rales. (We have not yet found any C 
language expert who is comfortable with Coq, while several of them are fluent with inference 
rules.) Manual transliteration of Coq specifications into MgX inference rules (as we did in 
this paper) is always possible but can introduce or (worse) mask errors. Better approaches 
include automatic generation of MgX from formal specifications, like Isabelle/HOL and Ott 

do dnim. 

5.2 Proving properties of the semantics 

The primary use of formal semantics is to prove properties of programs and meta-properties 
of the semantics. Such proofs, especially when conducted on machine, are effective at re- 
vealing errors in the semantics. For example, in the case of strongly-typed languages, type 
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soundness proofs (showing that well-typed programs do not go wrong) are often used for 
this purpose. In the case of Clight, a type soundness proof is not very informative, since the 
type system of C is coarse and unsound to begin with: the best we could hope for is a subject 
reduction property, but the progress property does not hold. Less ambitious sanity checks 
include "common sense" properties such as those of the f ield_off set function mentioned 
at end of section lZTl as well as determinism of evaluation, which we obtained as a corollary 
of the verification of the CompCert compiler 1281 sections 2.1 and 13.3]. 

5.3 Verified translations 

Extending the previous approach to proving properties involving two formal semantics in- 
stead of one, we found that proving semantics preservation for a translation from one lan- 
guage to another is effective at exposing errors not only in the translation algorithm, but 
also in the semantics of the two languages involved. If the translation "looks right" to com- 
piler experts and the semantics of the target language has already been debugged, such a 
proof of semantic preservation therefore generates confidence in the semantics of the source 
language. In the case of CompCert, the semantics of the Cminor intermediate language is 
smaller (300 lines) and much simpler than that of Clight; subsequent intermediate languages 
in the back-end such as RTL are even simpler, culminating in the semantics of the PPC 
assembly language, which is a large but conceptually trivial transition function (2E\. The 
existence of semantic-preserving translations between these languages therefore constitutes 
an indirect validation of their semantics. 

Semantic preservation proofs and type soundness proofs detect different kinds of errors 
in semantics. For a trivial example, assume that the Clight semantics erroneously interprets 
the + operator at type int as integer subtraction. This error would not invalidate an hy- 
pothetical type soundness proof, but would show up immediately in the proof of semantic 
preservation for the CompCert front-end, assuming of course that we did not commit the 
same error in the translations nor in the semantics of Cminor. On the other hand, a type 
soundness proof can reveal that an evaluation rule is missing (this shows up as failures of 
the progress property). A semantic preservation proof can point out a missing rule in the 
semantics of the target language but not in the semantics of the source language, since it 
takes as hypothesis that the source program does not go wrong. 

5.4 Testing executable semantics 

Just like programs, formal specifications can be tested against test suites that exemplifies 
expected behaviors. An impressive example of this approach is the HOL specification of the 
TCP/IP protocol by Sewell et al. |5|, which was extensively validated against network traces 
generated by actual implementations of the protocol. 

In the case of formal semantics, testing requires that the semantics is executable: there 
must exist an effective way to determine the result of a given program in a given initial envi- 
ronment. The Coq proof assistant does not provide efficient ways to execute a specification 
written using inductive predicates such as our semantics for Clight. (But see [11] for ongo- 
ing work in this direction.) As discussed in fi\, the eauto tactic of Coq, which performs 
Prolog-style resolution, can sometimes be used as the poor man's logic interpreter to exe- 
cute inductive predicates. However, the Clight semantics is too large and not syntax-directed 
enough to render this approach effective. 
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On the other hand, Coq provides excellent facilities for executing specifications written 
as recursive functions: an interpreter is built in the Coq type-checker to perform conversion 
tests; Coq 8.0 introduced a bytecode compiler to a virtual machine, speeding up the eval- 
uation of Coq terms by one order of magnitude |15|; finally, the extraction facility of Coq 
can also be used to generate executable Caml code. The recommended approach to execute 
a Coq specification by inductive predicates, therefore, is to define a reference interpreter 
as a Coq function, prove its equivalence with the inductive specification, and evaluate ap- 
plications of the function. Since Coq demands that all recursive functions terminate, these 
interpretation functions are often parameterized by a nonnegative integer counter n bound- 
ing the depth of the evaluation. Taking the execution of Clight statements as an example, the 
corresponding interpretation function is of the shape 

exec.stmt(W, n,G,E,M,s) = Bottom(f) | Result {t , out, M') \ Error 

where n is the maximal recursion depth, G,E,M are the initial state, and s the statement 
to execute. The result of execution is either Error, meaning that execution goes wrong, or 
Result(r,oM?,M'), meaning that execution terminates with trace 1, outcome out and final 
memory state M', or Bottom(r), meaning that the maximal recursion depth was exceeded 
after producing the partial trace t. To handle the non-determinism introduced by input/output 
operations, exec_stmt is parameterized over a world W: a partial function that determines 
the result of an input/output operation as a function of its arguments and the input/output 
operation previously performed [28 , section 13.1]. 

The following two properties characterize the correctness of the exec_stmt function 
with respect to the inductive specification of the semantics: 

G,E \- s,M =^ out,M' A W |=f <^ 3n, exec.stmt{W, n, G, E, M, s) = Result {t, out, M) 

G,E ]~ s,M ^ o° A W \= T ^ yn,3t, exec.stmt{W, n,G,E,M,s) = Bottom(r) 

A f is a prefix of T 

Here, ^ ? means that the trace t is consistent with the world W, in the sense of 11281 section 
13.1]. See f30| for detailed proofs of these properties in the simpler case of call-by-value A- 
calculus without traces. The proof of the second property requires classical reasoning with 
the axiom of excluded middle. 

We are currently implementing the approach outlined above, although it is not finished 
at the time of this writing. Given the availability of the CompCert verified compiler, one 
may wonder what is gained by using a reference Clight interpreter to ran tests, instead of 
just compiling them with CompCert and executing the generated PowerPC assembly code. 
We believe that nothing is gained for test programs with well-defined semantics. However, 
the reference interpreter enables us to check that programs with undefined semantics do go 
wrong, while the CompCert compiler can (and often does) turn them into correct PowerPC 
code. 



5.5 Equivalence with alternate semantics 

Yet another way to validate a formal semantics is to write several alternate semantics for the 
same language, using different styles of semantics, and prove logical implications between 
them. In the case of the Cminor intermediate language and with the help of Andrew Appel, 
we developed three semantics: (1) a big-step operational semantics in the style of the Clight 
semantics described in the present paper 127 J : (2) a small-step, continuation-based semantics 
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I2l l28l : (3) an axiomatic semantics based on separation logic \ 2\. Semantics (1) and (3) were 
proved correct against semantics (2). Likewise, for Clight and with the help of Keiko Nakata, 
we prototyped (but did not complete yet) three alternate semantics to the big-step operational 
semantics presented in this paper: (1) a small-step, continuation-based semantics; (2) the 
reference interpreter outlined above; (3) an axiomatic semantics. 

Proving the correctness of a semantics with respect to another is an effective way to find 
mistakes in both. For instance, the correctness of an axiomatic semantics against a big-step 
operational semantics without traces can be stated as follows: if is a valid Hoare 

triple, then for all initial states G,E,M satisfying the precondition P, either the statement s 
diverges (G,E h o°) or it terminates (G,E \- s,M =^ out,M') and the outcome out and 

the final state G,E,M' satisfy postcondition Q. The proof of this property exercises all cases 
of the big-step operational semantics and is effective at pointing out mistakes and omissions 
in the latter. Extending this approach to traces raises delicate issues that we have not solved 
yet. First, the axiomatic semantics must be extended with ways for the postconditions Q 
to assert properties of the traces generated by the execution of the statement s. A possible 
source of inspiration is the recent work by Hoare and O'Heam | 20]. Second, in the case of 
a loop such as {P} while (a) s {Q}, we must not only show that the loop either terminates 
or diverges without going wrong, as in the earlier proof, but also prove the existence of the 
corresponding traces of events. In the diverging case, this runs into technical problems with 
Coq's guardedness restrictions on coinductive definitions and proofs. 

In the examples given above, the various semantics were written by the same team and 
share some elements, such as the memory model and the semantics of Clight expressions. 
Mistakes in the shared parts will obviously not show up during the equivalence proofs. 
Relating two independently-written semantics would provide a more convincing validation. 
In our case, an obvious candidate for comparison with Clight is the Cholera semantics of 
Norrish f36 i|. There are notable differences between our semantics and Cholera, discussed 
in section |6l but we believe that our semantics is a refinement of the Cholera model. A 
practical issue with formalizing this intuition is that Cholera is formalized in HOL while our 
semantics is formalized in Coq. 



6 Related work 

Mechanized semantics for C The work closest to ours is Norrish's Cholera project 1361 , 
which formalizes the static and dynamic semantics of a large subset of C using the HOL 
proof assistant. Unlike Clight, Cholera supports side effects within expressions and accounts 
for the partially specified evaluation order of C. For this purpose, the semantics of expres- 
sions is given in small-step style as a non-deterministic reduction relation, while the se- 
mantics of statements is given in big-step style. Norrish used this semantics to characterize 
precisely the amount of non-determinism allowed by the C standard [37] . Also, the memory 
model underlying Cholera is more abstract than that of Clight, leaving unspecified a number 
of behaviors that Clight specifies. 

Tews et al I46II47I developed a denotational semantics for a subset of the C++ language. 
The semantics is presented as a shallow embedding in the PVS proven Expressions and 
statements are modeled as state transformers: functions from initial states to final states plus 
value (for expressions) or outcome (for statements). The subset of C++ handled is close to 
our Clight, with a few differences: side effects within expressions are allowed (and treated 
using a fixed evaluation order); the behavior of arithmetic operations in case of overflow is 
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not specified; the goto statement is not handled, but the state transformer approach could be 
extended to do so |45]|. 

Using the Coq proof assistant, Gimenez and Ledinot |14|| define a denotational seman- 
tics for a subset of C appropriate as target language for the compilation of the Lustre syn- 
chronous dataflow language. Owing to the particular shape of Lustre programs, the subset 
of C does not contain general loops nor recursive functions, but only counted for loops. 
Pointer arithmetic is not supported. 

As part of the Verisoft project |40], the semantics of a subset of C called CO has been 
formalized using Isabelle/HOL, as well as the correctness of a compiler from CO to DLX as- 
sembly language I26ll44p ll. CO is a type-safe subset of C, close to Pascal, and significantly 
smaller than Clight: for instance, there is no pointer arithmetic, nor break and continue 
statements. A big-step semantics and a small-step semantics have been defined for CO, the 
latter enabling reasoning about non-terminating executions. 

Paper and pencil semantics for C Papaspyrou 1 39 1 develops a monadic denotational seman- 
tics for most of ISO C. Non-determinism in expression evaluation is modeled precisely. The 
semantics was validated by testing with the help of a reference interpreter written in Haskell. 

Nepomniaschy et al. \ 34] define a big-step semantics for a subset of C similar to Pascal: 
it supports limited uses of goto statements, but not pointer arithmetic. 

Abstract state machines have been used to give semantics for C I16II and for C# (Vj. 
The latter formalization is arguably the most complete (in terms of the number of language 
features handled) formal semantics for an imperative language. 

Other examples of mechanized semantics Proof assistants were used to mechanize seman- 
tics for languages that are higher-level than C. Representative examples include | 23 ,25 | for 
Standard ML, 1381 for a subset of OCaml, and I24II for a subset of Java. Other Java-related 
mechanized verifications are surveyed in fl8|. Many of these semantics were validated by 
conducting type soundness proofs. 

Subsets of C Many uses of C in embedded or critical applications mandate strict coding 
guidelines restricting programmers to a "safer" subset of C 1 19]. A well-known example is 
MISRA C |32]. MISRA C and Clight share some restrictions (such as structured switch 
statements with default cases at the end), but otherwise differ significantly. For instance, 
MISRA C prohibits recursive functions, but permits all uses of goto. More generally, the 
restrictions of MISRA C and related guidelines are driven by software engineering consid- 
erations and the desire for tool-assisted checking, while the restrictions of Clight stem from 
the desire to keep its formal semantics manageable. 

Several tools for static analysis and deductive verification of C programs use simplified 
subsets of C as intermediate representations. We already discussed the CIL intermediate 
representation 1331 . Other examples include the Frama-C intermediate representation (8), 
which extends CIL's with logical assertions, and the Newspeak representation |22|. CIL is 
richer than Clight and accurately represents all of ISO C plus some extensions. Newspeak is 
lower-level than Clight and targeted more towards static analysis than towards compilation. 

7 Conclusions and future work 

In this article, we have formally defined the Clight subset of the C programming language 
and its dynamic semantics. While there is no general agreement on the formal semantics of 
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the C language, we believe that Clight is a reasonable proposal that works well in the context 
of the formal verification of a compiler. We hope that, in the future, Clight might be useful 
in other contexts such as static analyzers and program provers and their formal verification. 

Several extensions of Clight can be considered. One direction, discussed in |29|, is to 
relax the memory model so as to model byte- and bit-level accesses to in-memory data 
representations, as is commonly done in systems programming. 

Another direction is to add support for some of the C constructs currently missing, in 
particular the goto statement. The main issue here is to formalize the dynamic semantics of 
goto in a way that lends itself well to proofs. Natural semantics based on statement outcomes 
can be extended with support for goto by following the approach proposed by Tews f451, 
but at the cost of nearly doubling the size of the semantics. Support for goto statements is 
much easier to add to transition semantics based on continuations, as the Cminor semantics 
exemplifies f28' section 4]. However, such transition semantics do not lend themselves easily 
to proving transformations of loops such as those performed by the front-end of CompCert 
(transformation 2 in section l4!2l l. 

Finally, the restriction that Clight expressions are pure is both a blessing and a curse: 
on the one hand, it greatly simplifies all further processing of Clight, be it compilation, 
static analysis or program verification; on the other hand, programmers cannot be expected 
to directly write programs where all expressions are pure, requiring nontrivial, untrusted 
program transformations in the Clight parser. One way to address this issue would be to 
define an extension of Clight, tentatively called Cmedium, that supports side effects within 
expressions, and develop and prove correct a translation from Cmedium to Clight. 
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